CVE-2026-55424
Undergoing Analysis Undergoing Analysis - In Progress

Stored XSS in Discourse Topic Featured Links

Vulnerability report for CVE-2026-55424, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a topic "featured link" was not sufficiently normalized and escaped before being rendered in the topic list, allowing a user who can set a featured link to inject JavaScript when default Content Security Policy protections were modified or disabled. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
discourse discourse 2026.6.0
discourse discourse 2026.5.1
discourse discourse 2026.4.2
discourse discourse 2026.1.5
discourse discourse to 2026.6.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Discourse open-source discussion platform prior to versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5. It involves the "featured link" in a topic, which was not properly normalized and escaped before being displayed in the topic list. Because of this insufficient sanitization, a user who has the ability to set a featured link could inject JavaScript code if the default Content Security Policy protections are modified or disabled.

Impact Analysis

The vulnerability allows a user with permission to set a featured link to inject malicious JavaScript code into the topic list view. This can lead to cross-site scripting (XSS) attacks, potentially compromising the security of users viewing the topic list. The impact depends on whether the default Content Security Policy protections are altered or disabled, which would otherwise mitigate such attacks.

Mitigation Strategies

To mitigate this vulnerability, update your Discourse installation to one of the fixed versions: 2026.6.0, 2026.5.1, 2026.4.2, or 2026.1.5.

Additionally, ensure that the Content Security Policy (CSP) protections are enabled and not modified or disabled, as the vulnerability relies on CSP being weakened.

Compliance Impact

The vulnerability allows a user who can set a featured link to inject JavaScript when default Content Security Policy protections are modified or disabled. This could potentially lead to unauthorized actions or data exposure.

Such unauthorized script injection could impact compliance with standards like GDPR or HIPAA, which require protection of personal data and secure handling of user information, by increasing the risk of data breaches or unauthorized data access.

However, the provided information does not explicitly describe the direct impact on compliance with these regulations.

Detection Guidance

This vulnerability is a stored cross-site scripting (XSS) issue in the Discourse forum software related to the "featured link" in topics. Detection involves identifying if your Discourse instance is running a vulnerable version prior to 2026.6.0, 2026.5.1, 2026.4.2, or 2026.1.5, and whether the default Content Security Policy (CSP) has been modified or disabled.

To detect exploitation attempts or presence of malicious featured links, you can inspect the topic lists for suspicious JavaScript code embedded in featured links.

Suggested commands or steps include:

  • Check the Discourse version installed by running: `bundle exec rails about` or checking the version in the admin dashboard.
  • Review the Content Security Policy headers sent by your server to ensure the default CSP is enabled and does not include 'unsafe-inline' in the script-src directive. You can use curl to check headers: `curl -I https://your-discourse-site.com` and look for the Content-Security-Policy header.
  • Search the database for featured links containing suspicious JavaScript or unsafe characters. For example, if you have database access, run a query like: `SELECT id, featured_link FROM topics WHERE featured_link LIKE '%<script>%' OR featured_link LIKE '%javascript:%';`
  • Monitor web traffic or logs for requests that include suspicious payloads in featured links or unusual script execution in topic lists.

If you find any suspicious featured links or your version is vulnerable and CSP is weakened, it is recommended to upgrade to a patched version or disable the topic_featured_link_enabled setting until patched.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55424. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart